The United States remains far ahead of all governments who request user information from Google, according to the company’s latest Transparency Report (July through December 2012) which was released on Wednesday.

American government agencies (including federal, state, and local authorities) made over 8,400 requests for nearly 15,000 accounts—far exceeding India, the next largest country in terms of information requests. In 88 percent of those queries, Google complied with at least some, if not all, of the requests.

For the first time, the search giant is also breaking down the type of legal requests that were made.

Google said that 22 percent of those requests were made under probable cause driven search warrants delivered via the Electronic Communications Privacy Act (ECPA). Authorities have also been known to request information using ECPA subpoenas, which are much easier to obtain. It's unclear how many of the subpoenas or warrants Google complied with—the company has only said it complied in part or in full to 88 percent of total requests from American authorities.

"In order to compel us to produce content in Gmail we require an ECPA search warrant," said Chris Gaither, Google spokesperson. "If they come for registration information, that's one thing, but if they ask for content of e-mail, that's another thing."

While relatively few tech companies publicly disclose how many government requests they get, Google appears to be one of the few e-mail providers that is challenging law enforcement agencies to produce a warrant to access users’ e-mail.

Beyond Google’s own convictions, the company can also take some comfort in the fact that in 2010 the Sixth Circuit Court of Appeals ruled that the Fourth Amendment protecting unreasonable searches and seizures also protects e-mail, even if it’s over 180 days old, despite what ECPA says.

An out-of-date law

Currently, law enforcement agencies have a fairly wide latitude when it comes to accessing users’ e-mail. That harsh reality was illustrated most clearly by the General David Petraeus sex scandal, in which intimate e-mails were revealed despite the lack of any criminal action.

As Ars’ own Tim Lee wrote in November, “ECPA requires a warrant to obtain freshly sent e-mail before it's been opened by the recipient. But once an e-mail has been opened, or once it has been sitting in the recipient's e-mail box for 180 days, a lower standard applies. These rules simply don't line up with the way modern e-mail systems work.”

The United States Senate took up ECPA reform last year, but that effort seems to have fallen by the wayside. Still though, because there hasn't yet been a ruling by the Supreme Court as to what standard applies, Google is clearly pushing for an interpretation that would protect users' privacy further.

Former Rep. Bob Barr (R-GA), wrote about ECPA in a letter to members of the Senate Judiciary Committee in September 2012: "[It] has created uncertainty the Leahy amendment [one of the proposed revisions] would replace with clarity: law enforcement officers would no longer wonder whether they should seek communications content without a warrant, or whether the warrant requirement applies in one jurisdiction but not another."

"This clarity will help ensure that seized evidence will not be suppressed at the end of the prosecution, thereby allowing a guilty party to escape punishment," Barr wrote.

...would replace with clarity: law enforcement officers would no longer wonder whether they should seek communications content without a warrant...

If a warrant is required to access and search my postal mail, then a warrant SHOULD BE REQUIRED to access and search my email. Just because it's electronic doesn't/shouldn't make a damned bit of difference.

Forget the Mega service, I'd much rather have encrypted IMAP hosting than file hosting. Except there is no way I'd trust a commercial company for this. It would have to be open source (and it would need to grow into a standard).

Tinfoil hat alert...Is it possible that US gov is paying people off to not develop this technology and release it as open source? It seems like this would be something there would be way more interest in.

If Google really wants to do something about email privacy they could implement this in Gmail...

Forget the Mega service, I'd much rather have encrypted IMAP hosting than file hosting. Except there is no way I'd trust a commercial company for this. It would have to be open source (and it would need to grow into a standard).

Tinfoil hat alert...Is it possible that US gov is paying people off to not develop this technology and release it as open source? It seems like this would be something there would be way more interest in.

If Google really wants to do something about email privacy they could implement this in Gmail...

I applaud google... When the users ask they often do... They want more transparency... done... They want to be able to get their data out of Google's services...done... They do not want targeted ads...done...

Email contents search always required a warrant. There's nothing new here. Google is obeying the law like other companies. This article makes it seem like Google is doing something special.

This is sadly incorrect. I'm not sure how you would even say that after reading either the article directly above or the article I linked to...

The article you linked cleared shows that email contents require a warrant, not just a subpoena. Non-contents of email activities don't require a warrant. The debate was about the status of email drafts but that's not the point here.

This article merely quotes Google:

"In order to compel us to produce content in Gmail we require an ECPA search warrant," said Chris Gaither, Google spokesperson.

Note the word CONTENT in there? So what is that Google did that deserved the title of this article? Sorry, I am still not seeing it.

Email contents search always required a warrant. There's nothing new here. Google is obeying the law like other companies. This article makes it seem like Google is doing something special.

This is sadly incorrect. I'm not sure how you would even say that after reading either the article directly above or the article I linked to...

The article you linked cleared shows that email contents require a warrant, not just a subpoena. Non-contents of email activities don't require a warrant. The debate was about the status of email drafts but that's not the point here.

That article did talk about drafts, but I don't see how you're missing that this article and that one are indeed talking about email contents. There's a reason it was a really big deal that the sixth circuit ruled the way they did, why ECPA reform is so important, and why it would be so great for the Supreme Court would take this up and strike down the silly nonsense that is the third party doctrine. And it's not because we want to protect email meta data. From the end of that article:

Quote:

The weak privacy protection for metadata and draft e-mails are two examples of a broader problem: the rules governing law enforcement access to e-mail are extremely murky, and do not adequately safeguard online users' privacy rights. Law enforcement access to e-mail is governed by the 1986 Electronic Communications Privacy Act, which has long since started to show its age. The ECPA requires a warrant to obtain freshly sent e-mail before it's been opened by the recipient. But once an e-mail has been opened, or once it has been sitting in the recipient's e-mail box for 180 days, a lower standard applies. These rules simply don't line up with the way modern e-mail systems work.

Meanwhile, current legal precedents cast doubt on whether the Fourth Amendment's guarantee against unreasonable searches applies to cloud-based e-mail services at all. A legal principle called the Third Party Doctrine suggests that users give up their Fourth Amendment rights when they entrust their information to third parties such as Google. Justice Sonia Sotomayor has expressed skepticism about the Third Party Doctrine, suggesting that the Supreme Court might overrule it at some point in the future. But in the meantime, the government appears to have significant powers to rifle through information we entrust to cloud service providers like Google.

(emphasis added)

Quote:

This article merely quotes Google:

"In order to compel us to produce content in Gmail we require an ECPA search warrant," said Chris Gaither, Google spokesperson.

Note the word CONTENT in there? So what is that Google did that deserved the title of this article? Sorry, I am still not seeing it.

As this article notes, the key words are actually "ECPA search warrant", as opposed to "ECPA subpoena". That requires a higher level of oversight of what law enforcement is doing and usually requires a higher standard of evidence for probably cause. It's a very good thing...it's the same level of protection we take for granted with our mail, for instance, and is, as other posters have noted, exactly what you would expect with how we use email in the modern world. Already opened email and email older than 180 days is not "abandoned", and the government should have as much difficulty getting access to it as they do things in my home.

Email contents search always required a warrant. There's nothing new here. Google is obeying the law like other companies. This article makes it seem like Google is doing something special.

This is sadly incorrect. I'm not sure how you would even say that after reading either the article directly above or the article I linked to...

The article you linked cleared shows that email contents require a warrant, not just a subpoena. Non-contents of email activities don't require a warrant. The debate was about the status of email drafts but that's not the point here.

This article merely quotes Google:

"In order to compel us to produce content in Gmail we require an ECPA search warrant," said Chris Gaither, Google spokesperson.

Note the word CONTENT in there? So what is that Google did that deserved the title of this article? Sorry, I am still not seeing it.

According to the ECPA, a warrant is only required if the email is unread and is less than 180 days old. Otherwise, a warrant is not required to read the CONTENT. Google is apparently asserting that, even though a warrant is not required by the ECPA, it's still a "search" in the constitutional sense and therefore still needs a warrant. Legally, I think this is at best debatable. Data held by third parties is generally not treated as private for search purposes, as I understand it, because of the third party doctrine (which basically says "you already gave it to a third party, therefore it can't be private for you").

This is my non-lawyer understanding but it seems to be far different from yours.

Forget the Mega service, I'd much rather have encrypted IMAP hosting than file hosting. Except there is no way I'd trust a commercial company for this. It would have to be open source (and it would need to grow into a standard).

Tinfoil hat alert...Is it possible that US gov is paying people off to not develop this technology and release it as open source? It seems like this would be something there would be way more interest in.

If Google really wants to do something about email privacy they could implement this in Gmail...

That would only work for emails sent to you encrypted with PGP. All the rest of the email you receive would be unencrypted on the server and this would be 100% speaking for myself. So we still need encryption of the mail database on the server to prevent the government intrusion talked about in this article.

Email contents search always required a warrant. There's nothing new here. Google is obeying the law like other companies. This article makes it seem like Google is doing something special.[/quote]

This is sadly incorrect. I'm not sure how you would even say that after reading either the article directly above or the article I linked to...[/quote]

The article you linked cleared shows that email contents require a warrant, not just a subpoena. Non-contents of email activities don't require a warrant. The debate was about the status of email drafts but that's not the point here.

This article merely quotes Google:

"In order to compel us to produce content in Gmail we require an ECPA search warrant," said Chris Gaither, Google spokesperson.

Note the word CONTENT in there? So what is that Google did that deserved the title of this article? Sorry, I am still not seeing it.[/quote]

According to the ECPA, a warrant is only required if the email is unread and is less than 180 days old. Otherwise, a warrant is not required to read the CONTENT. Google is apparently asserting that, even though a warrant is not required by the ECPA, it's still a "search" in the constitutional sense and therefore still needs a warrant. Legally, I think this is at best debatable. Data held by third parties is generally not treated as private for search purposes, as I understand it, because of the third party doctrine (which basically says "you already gave it to a third party, therefore it can't be private for you").

This is my non-lawyer understanding but it seems to be far different from yours.[/quote]

I missed the 180 day part earlier but I now see where you are coming from. But note that Google's quote and the author does NOT make it very clear that Google is really going beyond the 180 day requirement stated by the law. I guess one is supposed to infer that from the title but I'm not sure why it was not explicitly mentioned by Google nor the author. I suspect it's because it's not all clear cut as the title seems to suggest.

As to why I came out suspecting Ars being paid by Google, I've been reading Ars for a while and I've been noticing a definite bias against certain company and their partnering companies. You have to pay attention to details but it's there in the articles or titles of articles covering them. This title seemed to fit that pattern once again hence my outburst.[/quote]

At least Ars being paid about the good Google is doing not to smear its competitor, like, Microsoft for example?

According to Swedish law, its citizens have right to get a list of all data that companies store about them. Even Facebook comply to this law. Google is the only company that I have requested a list from that refuses to give it out. They don't give a reason.

I hope that this goes to trial as soon as possible. Even Google needs to follow the law and show its customers what data they store about them.

There are very few instances in which a delay to get a warrant would be unacceptable. Unless some sicko is live streaming himself molesting a kid or if some poor soul is committing suicide in front of their webcam, it's had to see how the cops can't take the time to meet the fairly low standards to get a search warrant.

Question: If you used an email client that pulled the emails directly off the server and deleted the server copy, wouldn't that render their attempts to get your email moot? (other than intercepting as they come in in the first place - but if they need to go through the email provider first, then that by definition means there'll be a time delay allowing your client to download the emails).

Headline potentially false - do not presume they are protecting users when instead they are far more likely to be protecting their environment, user data that they profit from, etc.

The number of downrank-votes on posts that call this out is honestly confusing. There is nothing here clearly proving that Google is "protecting its users", and until that is strictly called out there is no evidence that they are doing anything more than standard legal compliance and execution.

To wit, the only thing the Google spokesperson *did* specifically call out was that they require a warrant for records release.

I am all for Google protecting its userbase. I just want to actually know that's the driving motivator as opposed to some other driver. This article clearly does not tell us that is the case.

Forget the Mega service, I'd much rather have encrypted IMAP hosting than file hosting. Except there is no way I'd trust a commercial company for this. It would have to be open source (and it would need to grow into a standard).

Tinfoil hat alert...Is it possible that US gov is paying people off to not develop this technology and release it as open source? It seems like this would be something there would be way more interest in.

If Google really wants to do something about email privacy they could implement this in Gmail...

encryption, like the telephone or e-mail itself, is what economists call a network good: Its value to the individual user depends crucially on how many other people are using it.

Therefore you need a whole lot of people starting to use email encryption all at once in order for it to be useful to any of them. Due to the sheer size of their email service Google are in a fairly unique position to be able to bring this about right now if they want to in a way that the good folks behind GNU Privacy Guard really can't. Sadly, however, Google appear to prefer to be able to read your email themselves in order to better sell your eyeballs to advertisers.

Could it be that "the United States remains far ahead of all governments who request user information from Google" because it's the second largest highly-connected country and by far the largest with a large gmail-using population?

Perhaps the headline wasn't meant to suggest that google is going out of its way at all to protect data but rather that google is doing more than most other mail providers to protect data. And by that I mean that they are doing anything at all.

This is more of a technicality than anything, but how far does Google's policy for information required by warrants stretch?

What I mean by that is that as a company responsible for storing and protecting data of individuals (and businesses!), there is assuredly some kind of redundancy and, likely with Google, some harvesting of said information for search algorithms and analytics after a message has been deleted by the user. To wit, does Google provide deleted messages they still store for internal purposes (or just haven't gotten around to anonymizing/deleting yet) when a warrant is used, or do they only provide access to the current contents of the mailbox?

As to why I came out suspecting Ars being paid by Google, I've been reading Ars for a while and I've been noticing a definite bias against certain company and their partnering companies. You have to pay attention to details but it's there in the articles or titles of articles covering them. This title seemed to fit that pattern once again hence my outburst.

Question: If you used an email client that pulled the emails directly off the server and deleted the server copy, wouldn't that render their attempts to get your email moot? (other than intercepting as they come in in the first place - but if they need to go through the email provider first, then that by definition means there'll be a time delay allowing your client to download the emails).

Perhaps i'm missing something?

That is one way around it... I have my own Web hosting account, and mail server, so files are only kept there for a time, anyway (so as not to clog up server storage--not for security).

Besides--unless some system like PGP is used, sensitive information should NEVER be transmitted via e-mail...